CN111769940B - Online key distribution method, system and medium - Google Patents

Online key distribution method, system and medium Download PDF

Info

Publication number
CN111769940B
CN111769940B CN202010658367.8A CN202010658367A CN111769940B CN 111769940 B CN111769940 B CN 111769940B CN 202010658367 A CN202010658367 A CN 202010658367A CN 111769940 B CN111769940 B CN 111769940B
Authority
CN
China
Prior art keywords
terminal
private key
sending
key
ciphertext
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010658367.8A
Other languages
Chinese (zh)
Other versions
CN111769940A (en
Inventor
陆淳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi IoT Technology Co Ltd
Original Assignee
Tianyi IoT Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyi IoT Technology Co Ltd filed Critical Tianyi IoT Technology Co Ltd
Priority to CN202010658367.8A priority Critical patent/CN111769940B/en
Publication of CN111769940A publication Critical patent/CN111769940A/en
Application granted granted Critical
Publication of CN111769940B publication Critical patent/CN111769940B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method, a system and a medium for online distribution of a secret key, wherein the method comprises the following steps: the generated first public key is sent to the Internet of things general enabling platform through the terminal; sending a corresponding ciphertext of a second private key to the terminal through the Internet of things universal enabling platform according to the first public key; and generating terminal signature information through a terminal according to the ciphertext of the second private key, sending the terminal signature information to the Internet of things universal enabling platform, and finishing identity authentication and/or data encryption by the Internet of things universal enabling platform. The invention can realize the on-line distribution of the terminal private key, and only transmits the private key ciphertext in the distribution process, thereby ensuring the security of private key transmission; in addition, the method has the advantages of simple interaction process and strong expansibility, is suitable for application scenes such as identity authentication, data encryption and the like, and can be widely applied to the technical field of the Internet of things.

Description

Online key distribution method, system and medium
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method, a system and a medium for online distribution of a secret key.
Background
Signature authentication is an authentication mode based on digital signatures, a private key used for signature by a terminal is generally generated by a platform, the distribution process of the private key is generally realized by offline operation at present, and the private key needs to be manually downloaded from the platform and then imported into the terminal. For the internet of things terminal equipment produced in batch, the process of canning the secret key consumes time, and the security of the secret key cannot be guaranteed.
In addition, for the key Security problem, the packet Transport Layer Security protocol (DTLS) can implement secure negotiation of keys, but there are the following limitations in the application:
1) The DTLS realizes channel encryption and is not suitable for an application scene only needing identity authentication;
2) DTLS relies on the realization of an SSL library, and the selectable encryption suite and security algorithm are limited, so that the expandability is poor;
3) The handshake process is complex, the message interaction period is long, and the requirement on network performance is high.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, a system, and a medium for online key distribution with high security, strong extensibility, and simple interaction process.
The first aspect of the present invention provides a method for online key distribution, which is applied to a terminal and includes:
sending the generated first public key to an Internet of things universal enabling platform;
receiving a ciphertext of a second private key sent by the Internet of things general enabling platform;
and generating terminal signature information according to the ciphertext of the second private key, and sending the terminal signature information to the universal enabling platform of the Internet of things.
In some embodiments, the sending the generated public key to the internet of things universal enabling platform includes:
generating a first public and private key pair through a security module unit;
sending a first public key to a control unit through the security module according to the first public and private key pair;
and sending the first public key to the Internet of things universal enabling platform through the control unit.
In some embodiments, the generating terminal signature information according to the private key ciphertext includes:
sending the ciphertext of the second private key to a security module through a control unit;
sending a plaintext of a second private key corresponding to the ciphertext of the second private key to the control unit through the security module;
and signing the identity information according to the second private key plaintext to generate terminal signature information.
The second aspect of the present invention provides an online key distribution method, which is applied to a universal enabling platform of the internet of things, and includes:
receiving a first public key sent by a terminal;
sending a corresponding ciphertext of a second private key to the terminal according to the first public key;
and receiving terminal signature information sent by a terminal, and performing identity authentication and/or data encryption according to the terminal signature information.
In some embodiments, further comprising the steps of:
and distributing the plaintext of the second private key for the terminal through the first cipher machine.
In some embodiments, the sending a corresponding private key ciphertext to the terminal according to the first public key includes:
identifying a terminal identifier through a bootstrap server;
sending the terminal identification and the first public key to an lwm2m server, and sending the terminal identification and the first public key to a first cipher machine by the lwm2m server;
sending the plain texts of the first public key and the second private key to a second cipher machine through the first cipher machine;
encrypting the plaintext of the second private key through the second cipher machine according to the first public key to obtain the ciphertext of the second private key;
sending the ciphertext of the second private key to the first cipher machine through the second cipher machine;
sending the ciphertext of the second private key to an lwm2m server through the first cipher machine;
sending the ciphertext of the second private key to a bootstrap server through the lwm2m server;
and sending the ciphertext of the second private key to the terminal through the bootstrap server side.
In some embodiments, the receiving terminal signature information sent by the terminal, and performing identity authentication and/or data encryption according to the terminal signature information includes:
receiving the terminal signature information through an lwm2m server;
sending the terminal signature information to a first cipher machine through an lwm2m server side;
and the terminal signature information is subjected to signature verification processing through the first cipher machine, and identity authentication is completed.
In some embodiments, the first cryptographic engine comprises a sm9 cryptographic engine; the second crypto machine comprises a sm2 crypto machine.
The third aspect of the invention provides a key online distribution system, which comprises a terminal and an internet of things universal enabling platform;
wherein, the terminal includes:
the security module is used for generating a first public and private key pair and sending a first public key to the control unit; the control unit is used for sending the plaintext of the second private key corresponding to the ciphertext of the second private key to the control unit;
the control unit is used for sending the first public key to the Internet of things universal enabling platform; the terminal signature information is generated by signing the identity information according to the second private key plaintext;
the general enabling platform of thing networking includes:
the bootstrap server is used for receiving a first public key sent by the terminal; for identifying the terminal identification; the terminal is used for configuring a second private key ciphertext of the terminal to the terminal;
the lwm2m server is used for realizing signal communication between the bootstrap server and the first cipher machine;
the first cipher machine is used for distributing the plaintext of the second private key; the first cipher machine is used for sending the first public key and the second private key to a second cipher machine;
and the second cipher machine is used for encrypting the plaintext of the second private key to obtain the ciphertext of the second private key.
A fourth aspect of the present invention provides a storage medium storing a program which is executed by a processor to perform the method as set forth in the first or second aspect of the present invention.
The embodiment of the invention sends the generated first public key to the general enabling platform of the Internet of things through the terminal; sending a corresponding ciphertext of a second private key to the terminal through the Internet of things universal enabling platform according to the first public key; and generating terminal signature information through a terminal according to the ciphertext of the second private key, sending the terminal signature information to the Internet of things universal enabling platform, and finishing identity authentication and/or data encryption by the Internet of things universal enabling platform. The invention can realize the on-line distribution of the terminal private key, and only transmits the private key ciphertext in the distribution process, thereby ensuring the security of private key transmission; in addition, the method has the advantages of simple interactive flow and strong expansibility, and is suitable for application scenes such as identity authentication, data encryption and the like.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a first timing diagram according to an embodiment of the present invention;
FIG. 2 is a second timing diagram according to an embodiment of the present invention.
Detailed Description
The invention will be further explained and explained with reference to the drawings and the embodiments in the description. The step numbers in the embodiments of the present invention are set for convenience of illustration only, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adaptively adjusted according to the understanding of those skilled in the art.
Aiming at the problems in the prior art, the invention provides a key online distribution method, wherein when the method is applied to a terminal, the method comprises the following steps:
sending the generated first public key to an Internet of things universal enabling platform;
receiving a ciphertext of a second private key sent by the Internet of things general enabling platform;
and generating terminal signature information according to the ciphertext of the second private key, and sending the terminal signature information to the Internet of things universal enabling platform to complete identity authentication.
In some embodiments, the sending the generated public key to the internet of things universal enabling platform includes:
generating a first public and private key pair through a security module unit;
sending a first public key to a control unit through the security module according to the first public and private key pair;
and sending the first public key to the Internet of things universal enabling platform through the control unit.
In some embodiments, the generating terminal signature information according to the private key ciphertext includes:
sending the ciphertext of the second private key to a security module through a control unit;
sending a plaintext of a second private key corresponding to the ciphertext of the second private key to the control unit through the security module;
and signing the identity information according to the second private key plaintext to generate terminal signature information.
In this embodiment, the identity information is signed by the security module according to the plaintext of the second private key, and signature information is generated and returned to the control unit.
The invention discloses a key online distribution method, which is applied to an Internet of things universal enabling platform and comprises the following steps:
receiving a first public key sent by a terminal;
sending a corresponding ciphertext of a second private key to the terminal according to the first public key;
and receiving terminal signature information sent by a terminal, and performing identity authentication according to the terminal signature information.
In some embodiments, further comprising the steps of:
and distributing the plaintext of the second private key for the terminal through the first cipher machine.
In some embodiments, the sending a corresponding private key ciphertext to the terminal according to the first public key includes:
identifying a terminal identifier through a bootstrap server side;
sending the terminal identification and the first public key to an lwm2m server, and sending the terminal identification and the first public key to a first cipher machine by the lwm2m server;
sending the plain texts of the first public key and the second private key to a second cipher machine through the first cipher machine;
encrypting a plaintext of the second private key through the second cipher machine according to the first public key to obtain a ciphertext of the second private key;
sending the ciphertext of the second private key to the first cipher machine through the second cipher machine;
sending the ciphertext of the second private key to an lwm2m server through the first cipher machine;
sending the ciphertext of the second private key to a bootstrap server through the lwm2m server;
and sending the ciphertext of the second private key to the terminal through the bootstrap server side.
The LwM2M server refers to an LwM2M server (LwM 2M server), and an LwM2M logic entity defined by OMA is provided, and in the invention, the LwM2M server is a component of a universal enabling platform and is responsible for verifying and signing terminal signature information to realize terminal identity authentication.
The bootstrap server refers to an LwM2M boot server (LwM 2M bootstrap-server), an LwM2M logical entity defined by OMA, and in the present invention, the server is responsible for receiving a first public key of a terminal and configuring a second private key ciphertext to the terminal.
In some embodiments, the receiving terminal signature information sent by a terminal, and performing identity authentication according to the terminal signature information includes:
receiving the terminal signature information through an lwm2m server;
sending the terminal signature information to a first cipher machine through an lwm2m server side;
and the terminal signature information is subjected to signature verification processing through the first cipher machine, and identity authentication is completed.
In some embodiments, the first cryptographic engine comprises a sm9 cryptographic engine; the second crypto machine comprises a sm2 crypto machine.
It should be noted that, in some embodiments, one cipher machine simultaneously implements the sm9 algorithm and the sm2 algorithm, that is, the first cipher machine and the second cipher machine may be combined into one cipher machine, and the cipher machine can simultaneously implement the functions of the sm9 algorithm and the sm2 algorithm.
Referring to fig. 1, in the embodiment of the present invention, an sm9 cipher is taken as a first cipher, and an sm2 cipher is taken as a second cipher, where an sm2 public key in the embodiment represents a first public key, an sm2 public-private key pair represents a first public-private key pair, an sm2 private key represents a first private key, an sm9 public key represents a second public key, and an sm9 private key represents a second private key.
Specifically, as shown in fig. 1, the method comprises the steps of:
s1, a sm9 cipher machine of the universal enabling platform is responsible for generating a unique sm9 private key for each terminal and is used for signing/verifying terminal identity information.
S2, a security module arranged in the Lwm2m terminal generates a pair of sm2 public/private keys for the terminal to encrypt/decrypt an sm9 private key of the terminal. The private key is stored in the safety module, so that the safety is improved.
The S3, sm2 public key is sent to the platform via a Bootstrap Request (epub in table 1 below).
And S4, the sm9 cipher machine of the universal enabling platform sends the stored clear text of the secret key sm9 of the terminal and the sm2 public key transmitted by the terminal to the sm2 cipher machine for encryption processing, and the sm2 public key is used for encrypting the sm9 secret key to obtain the sm9 secret key ciphertext.
And S5, writing the sm9 private key ciphertext (0/0/5 in the following table 2) into the terminal by the universal enabling platform through Bootstrap Write operation.
And S6, the security module of the terminal decrypts the ciphertext by using the locally stored sm2 private key to obtain sm9 private key plaintext.
And S7, the terminal signs the identity information by using the sm9 private key.
And S8, the terminal brings the identity information and the signature data to the platform for signature verification.
And S9, the universal enabling platform checks the signature data to realize the identity authentication capability.
It should be noted that, the following extension is made to the boottrap interface field in this embodiment:
1. the Bootstrap Request interface is implemented by a special EPN format: IMEI + sm9 { IMEI } + "indicates that the terminal wishes to request the sm9 private key through the Bootstrap interface;
2. the Bootstrap Request interface extension option kType is used for indicating the type of the requested key, and kType =2 represents that sm9 private key ciphertext is requested;
3. the Bootstrap Request interface extension option epub is used for transmitting a public key of a terminal, in the embodiment, the epub transmits a sm2 public key of the terminal, and a general enabling platform encrypts a sm9 private key by using the public key;
4. the Bootstrap Write interface transmits sm9 private key ciphertext through 0/0/5 defined by the LWM2M protocol, and transmits system parameters through 0/0/4, and the system parameters participate in the signature operation of sm 9.
Specifically, the description of the parameters of the Bootstrap Request interface in the Bootstrap interface field of this embodiment is shown in table 1; the description of the boottrap interface parameters of the boottrap interface field boottrap Write interface of the present embodiment is shown in table 2.
TABLE 1
Figure BDA0002577587290000061
TABLE 2
Figure BDA0002577587290000062
It should be noted that the online key distribution method of the present invention can be used for online distribution of various types of keys, in this embodiment, taking an application scenario of data encryption as an example, in the embodiment of the present invention, a K1 scrambler is used as a first scrambler, an sm9 scrambler is used as a second scrambler, and the first scrambler and the second scrambler in this embodiment are combined into one scrambler, as shown in fig. 2, which can implement both the operation of the first public key and the private key and the operation of the second key. The PubK public key of this embodiment represents the first public key, the PubK/PriK public and private key pair represents the first public and private key pair, the PriK private key represents the first private key, and K1 represents an encryption key in a symmetric algorithm.
As shown in fig. 2, the online key distribution method of the present embodiment includes the following steps:
s1, distributing a key K1 for data encryption to a terminal by an Internet of things universal enabling platform;
s2, a security module arranged in the lwm2m terminal generates a pair of asymmetric keys, namely PubK/PrIK, and a private key PrIK is locally stored;
s3, a public key PubK is sent to a universal enabling platform through a Bootstrap Request (such as epub in the table 1), and the value of a ktype option in the table 1 can be expanded according to different algorithms;
s4, the universal enabling platform uses the PubK to perform encryption operation on the K1 of the terminal;
s5, the universal enabling platform writes the encrypted K1 ciphertext (0/0/5 in the table 2) into the terminal through Bootstrap Write operation;
s6, a security module of the terminal decrypts the K1 ciphertext by using the PriK to obtain a K1 plaintext;
s7, the terminal logs in a general enabling platform, and the platform completes identity authentication on the terminal;
and S8, the service data of the terminal and the platform are encrypted and decrypted by using the K1, so that data ciphertext transmission is realized. And the terminal encrypts the service data by using K1 and then sends the service data to the platform, and decrypts the received platform downlink data by using K1 to obtain the data plaintext. The K1 adopts asymmetric encryption processing in the transmission process, thereby ensuring the safety of the K1.
In summary, compared with the prior art, the method of the present invention has the following advantages:
1. the online distribution of the terminal key can be realized, which is superior to the production mode of offline manual import;
2. the terminal key is transmitted in an asymmetric encryption mode, and a private key for decryption is generated by the terminal and locally stored, so that the security of key transmission is ensured; the traditional Bootstrap process can only realize the on-line distribution of the sm9 private key, but the invention can realize the on-line distribution of the ciphertext of the sm9 private key, so that the private key distribution process is safe and reliable.
3. The method has strong expansibility, can be combined with any encryption algorithm, and is suitable for various service requirements such as data encryption, identity authentication and the like. Currently mainstream symmetric algorithms: DES, 3DES, AES, sm1, sm4, asymmetric algorithm: RSA, sm2, sm9, etc. may be used in conjunction with the methods of the present technology.
4. The interaction process is simple, and the network resource consumption is less. For example, the DTLS handshake mechanism that has been used at present needs 7 message interactions to complete key agreement, but the method of the present invention can realize secure key distribution only through 2 signaling interactions of LWM 2M.
In addition, the embodiment of the invention also provides an online key distribution system, which comprises a terminal and an Internet of things universal enabling platform;
wherein, the terminal includes:
the security module is used for generating a first public and private key pair and sending a first public key to the control unit; the control unit is used for sending the plaintext of the second private key corresponding to the ciphertext of the second private key to the control unit;
the control unit is used for sending the first public key to the Internet of things universal enabling platform; the terminal signature information is generated by signing the identity information according to the second private key plaintext;
the general enabling platform of the Internet of things comprises:
the bootstrap server is used for receiving a first public key sent by the terminal; for identifying the terminal identification; the terminal is used for configuring a second private key ciphertext of the terminal to the terminal;
the lwm2m server is used for realizing signal communication between the bootstrap server and the first cipher machine;
the first cipher machine is used for distributing the plaintext of the second private key; the first cipher machine is used for sending the first public key and the second private key to a second cipher machine;
and the second cipher machine is used for encrypting the plaintext of the second private key to obtain the ciphertext of the second private key.
The invention also provides a storage medium, which stores a program, and the program is executed by a processor to complete the key online distribution method.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more comprehensive understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise indicated to the contrary, one or more of the described functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer, given the nature, function, and internal relationship of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is to be determined from the appended claims along with their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Further, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description of the specification, reference to the description of "one embodiment," "some embodiments," "an example," "a specific example," or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A key online distribution method is applied to a general enabling platform of the Internet of things, and is characterized by comprising the following steps:
receiving a first public key sent by a terminal;
sending a corresponding ciphertext of a second private key to the terminal according to the first public key;
receiving terminal signature information sent by a terminal, and performing identity authentication and/or data encryption according to the terminal signature information;
further comprising the steps of:
distributing a plaintext of a second private key for the terminal through a first cipher machine;
the sending a corresponding private key ciphertext to the terminal according to the first public key includes:
identifying a terminal identifier through a bootstrap server;
sending the terminal identification and the first public key to an lwm2m server, and sending the terminal identification and the first public key to a first cipher machine by the lwm2m server;
sending the plain texts of the first public key and the second private key to a second cipher machine through the first cipher machine;
encrypting the plaintext of the second private key through the second cipher machine according to the first public key to obtain the ciphertext of the second private key;
sending the ciphertext of the second private key to the first cipher machine through the second cipher machine;
sending the ciphertext of the second private key to the lwm2m server through the first cipher machine;
sending the ciphertext of the second private key to a bootstrap server through the lwm2m server;
and sending the ciphertext of the second private key to the terminal through the bootstrap server side.
2. The method for online distribution of the secret key according to claim 1, wherein the receiving the terminal signature information sent by the terminal and performing identity authentication and/or data encryption according to the terminal signature information comprises:
receiving the terminal signature information through an lwm2m server;
sending the terminal signature information to a first cipher machine through an lwm2m server side;
and the first cipher machine is used for carrying out signature verification processing on the terminal signature information to finish identity authentication and/or data encryption.
3. A method for on-line distribution of keys according to claim 2,
the first cipher machine comprises an sm9 cipher machine; the second crypto machine comprises a sm2 crypto machine.
4. An online key distribution system is characterized by comprising a terminal and an Internet of things universal enabling platform;
wherein, the terminal includes:
the security module is used for generating a first public and private key pair and sending a first public key to the control unit; the control unit is used for sending the plaintext of the second private key corresponding to the ciphertext of the second private key to the control unit;
the control unit is used for sending the first public key to the Internet of things general enabling platform; the terminal signature information is generated by signing the identity information according to the second private key plaintext;
the general enabling platform of thing networking includes:
the bootstrap server is used for receiving a first public key sent by the terminal; for identifying the terminal identification; the terminal is used for configuring a second private key ciphertext of the terminal to the terminal;
the lwm2m server is used for realizing signal communication between the bootstrap server and the first cipher machine;
the first cipher machine is used for distributing the plaintext of the second private key; the first cipher machine is used for sending the first public key and the second private key to a second cipher machine;
and the second cipher machine is used for encrypting the plaintext of the second private key to obtain the ciphertext of the second private key.
5. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program, which is executed by a processor to perform the method according to any one of claims 1-3.
CN202010658367.8A 2020-07-09 2020-07-09 Online key distribution method, system and medium Active CN111769940B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010658367.8A CN111769940B (en) 2020-07-09 2020-07-09 Online key distribution method, system and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010658367.8A CN111769940B (en) 2020-07-09 2020-07-09 Online key distribution method, system and medium

Publications (2)

Publication Number Publication Date
CN111769940A CN111769940A (en) 2020-10-13
CN111769940B true CN111769940B (en) 2023-02-03

Family

ID=72725842

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010658367.8A Active CN111769940B (en) 2020-07-09 2020-07-09 Online key distribution method, system and medium

Country Status (1)

Country Link
CN (1) CN111769940B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112332986B (en) * 2020-12-06 2023-03-28 武汉卓尔信息科技有限公司 Private encryption communication method and system based on authority control

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105706469A (en) * 2013-09-13 2016-06-22 沃达方Ip许可有限公司 Managing machine to machine devices
CN106656510A (en) * 2017-01-04 2017-05-10 天地融科技股份有限公司 Encryption key acquisition method and system
CN109347635A (en) * 2018-11-14 2019-02-15 中云信安(深圳)科技有限公司 A kind of Internet of Things security certification system and authentication method based on national secret algorithm
GB201901421D0 (en) * 2019-02-01 2019-03-20 Arm Ip Ltd Machine-to-machine communication mechanisms
CN109547205A (en) * 2017-09-22 2019-03-29 中国电信股份有限公司 Authentication method and device, internet-of-things terminal
CN109995701A (en) * 2017-12-29 2019-07-09 华为技术有限公司 A kind of method, terminal and the server of equipment guidance
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105706469A (en) * 2013-09-13 2016-06-22 沃达方Ip许可有限公司 Managing machine to machine devices
CN106656510A (en) * 2017-01-04 2017-05-10 天地融科技股份有限公司 Encryption key acquisition method and system
CN109547205A (en) * 2017-09-22 2019-03-29 中国电信股份有限公司 Authentication method and device, internet-of-things terminal
CN109995701A (en) * 2017-12-29 2019-07-09 华为技术有限公司 A kind of method, terminal and the server of equipment guidance
CN109347635A (en) * 2018-11-14 2019-02-15 中云信安(深圳)科技有限公司 A kind of Internet of Things security certification system and authentication method based on national secret algorithm
GB201901421D0 (en) * 2019-02-01 2019-03-20 Arm Ip Ltd Machine-to-machine communication mechanisms
CN111130803A (en) * 2019-12-26 2020-05-08 信安神州科技(广州)有限公司 Method, system and device for digital signature

Also Published As

Publication number Publication date
CN111769940A (en) 2020-10-13

Similar Documents

Publication Publication Date Title
JP7119040B2 (en) Data transmission method, device and system
EP3642997B1 (en) Secure communications providing forward secrecy
CN107810617B (en) Secret authentication and provisioning
CN113259329B (en) Method and device for data careless transmission, electronic equipment and storage medium
US8806206B2 (en) Cooperation method and system of hardware secure units, and application device
EP3476078B1 (en) Systems and methods for authenticating communications using a single message exchange and symmetric key
CN109800588B (en) Dynamic bar code encryption method and device and dynamic bar code decryption method and device
CN110868291B (en) Data encryption transmission method, device, system and storage medium
US20210367767A1 (en) Methods and systems for secure network communication
CN114024676B (en) Post-quantum encryption and decryption method, system, equipment and medium based on identity identification
CN112804205A (en) Data encryption method and device and data decryption method and device
CN103036880A (en) Network information transmission method, transmission equipment and transmission system
CN112087428B (en) Anti-quantum computing identity authentication system and method based on digital certificate
CN110365662A (en) Business approval method and device
CN111917710A (en) PCI-E cipher card, its key protection method and computer readable storage medium
JP2020532177A (en) Computer-implemented systems and methods for advanced data security, high-speed encryption, and transmission
CN111769940B (en) Online key distribution method, system and medium
CN101150399A (en) Generation method for share secret key
CN115842625A (en) Encryption method and system based on PKI system real-time negotiation key
KR101793528B1 (en) Certificateless public key encryption system and receiving terminal
JPH11231776A (en) Method and device for issuing certificate
CN115883183A (en) Cross-domain safety interconnection method and device of industrial control system
WO2022229971A1 (en) System and method for collective trust identity and authentication
CN117615471A (en) FPGA-based wireless communication data security transmission system and method
CN115442127A (en) Transmission data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant